How hospitals can prepare for the next WannaCry-style cyberattack
We are nearing the second anniversary of WannaCry, a cyberattack that spread to more than 150 countries, infected 600,000 computers and cost victims a total of $4 billion. Healthcare was not spared, with ransomware demands and medical device hacks that crippled health systems and put patients at risk of harm.
However, some two years later, too many health systems are still not properly equipped to combat the myriad attacks that could penetrate their networks. They grapple daily with an onslaught of cybersecurity threats, both to patient data and the systems in use to provide life-saving care.
Here are some of the strategies that cybersecurity leaders in the College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) recommend to reduce those potential risks.
- Adopt a standardized security framework. Self-developed frameworks may comply with Health Insurance Portability and Accountability Act (HIPAA) requirements, but that does not equate to good cybersecurity hygiene. The good news is that many hospitals and health systems have begun to use cybersecurity frameworks like the National Institute of Standards and Technology’s, according to an analysis of the 2018 CHIME HealthCare’s Most Wired survey data. But almost 1 in 5 participants reported that they still use self-developed frameworks.
- Build a comprehensive security program. That includes having a senior security leader, an adequate budget, governance and oversight committees, and progress reporting. A 2017 study by CHIME and KLAS found that nearly all organizations have someone in charge of their security program, though that role is sometimes filled by someone who is not solely dedicated to IT security. More than half of organizations still developing their security program were spending less than 3 percent of their total IT budget on security.
- Don’t focus solely on electronic health records. Healthcare organizations are largely adopting a risk-based approach to cybersecurity and risk mitigation. Unfortunately, to date, much of the risk assessment efforts have been limited to risks posed by EHRs and not across the entire enterprise. As technology has proliferated in healthcare, it is imperative that risk is characterized accordingly.
- Know your inventory. A 2018 CHIME-KLAS study on the security of medical devices reported that the average number of connected medical devices was approximately 10,000 per healthcare organization. Yet it is not unusual for CIOs and CISOs to routinely discover devices and applications that were not previously known to be operating on their network. About half of the study’s respondents cited organizational factors as the cause of medical device security issues. Streamlining procurement of devices, systems and technology across a healthcare organization can help to better manage medical device inventory.
- Establish patching protocols. Organizations must be resourceful when it comes to patching. CHIME and AEHIS members say they actively reach out to vendors to find out when patches are available; sometimes they patch devices themselves, and sometimes they have the vendor do it for them. They have also begun requesting that vendors use contract language that clearly outlines patching responsibilities and timelines.
The 2018 CHIME-KLAS report estimated that 33 percent of devices within a healthcare organization are “unpatchable,” with that estimate likely higher in under-resourced and rural healthcare organizations. Defining “end-of-life” for the security of a device when its useful life may far exceed its security capabilities is a challenge. For most healthcare organizations, margins are tight and capital expenditures are established years in advance. The costs associated with deeming a device to be “end-of-life,” especially in rural and underserved areas, cannot be overstated.
There is often not a direct correlation between cybersecurity end-of-life and useful end-of-life, thus policies that carefully define end-of-life must be in place to address the discrepancy. We encourage healthcare organizations to use the practices listed here to harden their cyber defenses—and to call on Congress and federal agencies to address vulnerabilities like this end-of-life example.
After all, patients’ privacy and safety are at stake.